LC Updates

Discussing next piece of work for consent receipt and a possible GDPR toolkit

New Mission Statement: Kantara Initiative is the global consortium improving trustworthy use of identity and personal data through innovation, standardization and good practice

Participant updates

Discussion

Charter vote

Ken will send out the revised charter before we vote; there was a strong recommendation at the LC meeting to see how the groups contribute to the mission statement.

Report from last week's TFTM meeting on IDEF mapping

IDEF mapping - the IDESG trust framework and trust mark workgroup ran a mapping exercise to see how the KI might meet the requirements of their ID Ecosystem Framework, and sent it back to us to comment on. IDESG has a self-attestation registry of companies that want to declare that they meet the ID Ecosystem baseline requirements. The idea is whether a Kantara Initiative assessment could be reused as an assessment against the IDEF. We agreed with most suggestions, and had a meeting last week to compare notes and read the response. Scott will add the email from Andrew following the call - a list of items that IAWG should consider and how to be prepared. Similar guidance went to IDESG as well. No major arguments on the call; notes were compared.

Discussion of 800-63C

Collecting comments from those on the call.

Scott - credential generation and other lifecycle issues are missing from the discussion

RGW - agree, not certain those issues need to be in the NIST 800-63 document

Andrew points out 800-63B has a section called lifecycle management. RGW agrees but notes that there are many requirements stuffed in there.

Ken asks if anything changes if it happens in a federated context as opposed to the context B was written in.

RGW suggests that it depends on whether the federation includes requirements to be a member of the club. This is only becoming more of a concern as we read 63B and 63C. There are many SHOULD statements - as we know, if it says SHOULD then they probably won't.

Globally we have a comment that SHALL and SHOULD need to be clear. Each distinct SHALL or SHOULD ought to be in a single paragraph.

Andrew observes it's a similar comment to last week - the document is a mixture of explanatory material, guidance material and requirements material.

Ken suggests we could commend them for adopting a normative style.

General agreement that the document is not ready for prime time.

Andrew notes that we appreciate the shift towards normative language in the requirements, but the phrasing of some requirements makes it difficult to have certainty that the implementation meets those requirements. As assessors there is also uncertainty about how to evaluate the conformity. Uncertainty then leads to inconsistency.

RGW has one other broad topic - 4.2 of 63C - requirements on federal agencies slapped on the end of the section. Perhaps include it in an annex instead of in the rest of the flow of the document. The agency guidance at the end of the privacy section is a non-sequitur with respect to the rest of the document.

Andrew notes that the audience section of 63-3 is blank.

We could use clarity from the authors on when the agency specific text applies.

Next week we will take the first cut at looking at the comments. We can package and submit them early if we're happy with them next week.

Note from Colin - think about the process with this. We could share a thought as to how NIST can improve the process, but it is not always suitable for community comments that way. If we can think of a better suggestion, we will suggest that.